Yahoo to Facebook Get What They Wanted From NSA Review

Dec. 19 (Bloomberg) -- A presidential advisory panel on
government surveillance recommended satisfying a demand of
Internet companies such as Yahoo! Inc. and Facebook Inc. while
putting new burdens on telecommunications providers to retain
data for future snooping.

The five members of the Review Group on Intelligence and
Communications Technology offered 46 policy changes that would
allow U.S. surveillance programs to continue while limiting
worldwide collection of communications by the National Security
Agency.

The panel recommended that the NSA retain access to bulk
phone-calling records, with two changes: Phone companies, not
the spy agency, should keep the records, and the NSA should have
to obtain court orders for specific customer data.

The proposals, which Obama isn’t obligated to adopt, aim to
alter spy programs in response to a domestic and international
backlash over the extent of U.S. surveillance exposed by former
NSA contractor Edward Snowden.

Senator Charles Schumer, a New York Democrat, said he
expected Congress to vote on legislation adjusting the NSA
programs, including expanding disclosure and judicial review
aspects, early next year. “My view is that there are reforms
that can be made that don’t interfere, don’t get in the way of
our security,” Schumer told reporters today.

Studying Recommendations

White House press secretary Jay Carney said the
administration will take several weeks to “study the review
group’s report and determine which recommendations we should
implement.”

“Broadly speaking, it is our view that the report is
thoughtful, comprehensive and serious work,” Carney said.

Internet companies have been lobbying President Barack
Obama and Congress to let them make public the extent of
government prying into their data. The panel agreed with their
argument that the secrecy poses a risk to their businesses.

“If the government is working closely or secretly with
specific providers, and if such providers cannot assure their
users that their communications are safe and secure, people
might well look elsewhere,” the report said.

The panel recommends legislation allowing Internet
companies to publicly release “general information” about
government orders compelling them to turn over data, including
how many users are affected.

Obama’s Proposals

Obama, who met with technology executives on the matter on
Dec. 17, plans to announce next month what actions he’ll take.
He already rejected one of the recommendations -- that the NSA
get civilian leadership instead of being directed by the
military officer in charge of the U.S. Cyber Command.

AT&T Inc., T-Mobile US Inc. and other telecommunications
carriers could face new burdens to retain customer data if Obama
accepts another of the panel’s recommendations. They might be
required to store and secure bulk phone records, such as numbers
dialed and call durations, for longer than they do now on behalf
of the government -- a proposal that some privacy advocates say
would outsource spying.

“The government should not be permitted to collect and
store mass, undigested, non-public personal information about
U.S. persons for the purpose of enabling future queries and
data-mining for foreign intelligence purposes,” the panel
wrote.

Encryption Standards

The current program under which the NSA obtains and stores
the data “was not essential to preventing attacks,” and
information needed to thwart terrorist plots “could readily
have been obtained in a timely manner using conventional” court
orders, the panel wrote.

The panel also recommended that the U.S. not do anything to
undermine or weaken encryption standards, and establish
international norms to prevent a splintering of the Internet.

Google Inc. and other companies have expressed outrage over
reports that the NSA has broken encryption and hacked into
fiber-optic cables abroad to obtain data on their users.

The report also said there should be new criteria for
eavesdropping on foreign leaders, and the NSA’s electronic
spying operations should be separated from the agency’s computer
network defense operations.

Outsourcing Spying

The government should be allowed, when necessary, to take
advantage of vulnerabilities in computer code, commonly known as
zero-day exploits, the panel said.

The proposal to shift the retention of phone records to the
telecommunications companies or other third-party providers
“doesn’t solve the problem of how much is gathered, when it’s
gathered, how it’s gathered and how it’s used,” Ed Black,
president and chief executive officer of the Computer and
Communications Industry Association in Washington, said in a
phone interview.

“It’s an attempt to outsource surveillance,” he said.
“Realistically it winds up trying to make private companies the
agents of government, quasi-governmental agents, and it really
isn’t going to work.”

Senator Dianne Feinstein, a California Democrat and
chairman of the Senate intelligence committee, has said an NSA
analysis persuaded her that it would be too costly to store the
metadata with the carriers.

The only acceptable revision is to stop the collection of
bulk data, Kevin Bankston, policy director for the Washington-based Open Technology Institute, a policy and research
organization, said in a phone interview.

Judicial Review

The phone companies also might resist being required to
retain bulk records for the government.

“I expect our members would oppose the imposition of data
retention obligations that would require them to maintain
customer data for longer than necessary,” Jot Carpenter, vice
president of government affairs for CTIA-The Wireless
Association, said before the final report was released. The
Washington-based trade group represents AT&T and T-Mobile.

While not ending bulk records collection, the panel makes
“solid recommendations,” including stronger judicial review
and legal standards for spying, James Lewis of the Center for
Strategic and International Studies in Washington, said in a
phone interview.

“It means that the operators won’t be making the decisions
themselves, they’re going to have to go to a court,” he said.
“It goes a long way to strengthening oversight.”

Advisory Panel

Bankston said his group was “cautiously optimistic” about
the proposed restraints. “We hope that the president and
Congress will heed the group’s recommendation against bulk data
collection and act immediately to end the NSA’s metadata
dragnet,” he said.

Obama should accept the recommendations and end the bulk-data collections, Anthony Romero, executive director of the
American Civil Liberties Union, said in a statement. “NSA’s
surveillance programs are un-American, unconstitutional, and
need to be reined in,” he said.

The panel, established by Obama in August, is made up of
Richard Clarke, a former U.S. cybersecurity adviser; Michael
Morell, a former deputy CIA director; Geoffrey Stone, a
University of Chicago law professor; Cass Sunstein, a Harvard
Law School professor who once worked in the administration; and
Peter Swire, who served on Obama’s National Economic Council.

The panel’s report was the second blow this week to the
government’s collection of bulk data. A federal judge ruled Dec.
17 that the NSA’s phone records collection program is probably
illegal.

“We are not in any way recommending the disarming of the
intelligence community,” Morell told reporters yesterday. “I
do not believe as a 33-year intelligence officer that our
recommendations will in any way undermine” the intelligence
community or national security.